During 2025 we worked hard on improving our anti-spam best practices and today released an updated version of our blog post (originally written in 2019!) incorporating all of those improvements:
https://www.missioncriticalemail.com/20 ... practices/
The biggest change is a major rewrite of our custom /opt/zimbra/data/spamassassin/zzsauser.cf file, with an emphasis on custom anti-phishing rules; SpamAssassin efficiency improvements (we turn off a lot of SA DNS lookups that really didn't add anything to the result sets); tuning to allow for longer DNS replies, especially as regards big SPF records; and penalizing senders who don't send authenticated email or who use a DMARC policy of "none".
We also discovered two Zimbra bugs, where both SA and Bayes need working directories under /opt/zimbra that the Zimbra installer never creates. Since the Zimbra Linux user has no write permissions to its home directory /opt/zimbra, even if you thought you were using Bayes, you weren't -- the state databases never got created.
The workaround for the Bayes issue is to tell Bayes in /opt/zimbra/data/spamassassin/zzsauser.cf to use a different directory, and for the SA directory bug, to manually create /opt/zimbra/.spamassassin as root, and then change the ownership to zimbra:zimbra and chmod it accordingly.
We've deployed our updated customizations on our own hosting farm and across multiple clients' systems to good effect over the past few months, so felt it was time to share publicly.
Hope that helps,
Mark
Updated Anti-Spam Best Practices Blog Post
- L. Mark Stone
- Ambassador

- Posts: 2926
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.13 Network Edition
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
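
Added example, not part of the original post or of the linked blog's code: a shell check for the failure mode described above, where Bayes appears enabled but its state databases were never created. It assumes SpamAssassin's default DB_File Bayes storage, where `bayes_path` is a file-name prefix and the files are `<prefix>_toks` and `<prefix>_seen`. The function name and status words are hypothetical, and it should be run as the user SpamAssassin runs as so the write test is meaningful.

```shell
#!/bin/sh
# check_bayes_state CF_FILE HOME_DIR
#   CF_FILE  - SpamAssassin config to read bayes_path from (e.g. zzsauser.cf)
#   HOME_DIR - home of the user SA runs as; used for the default Bayes
#              location HOME_DIR/.spamassassin/bayes when bayes_path is unset
# Prints one status word; returns 0 only when the state files exist.
check_bayes_state() {
    cf=$1
    home=$2

    # The last uncommented bayes_path line wins. Its value is a path
    # prefix for the database files, not a directory. A leading "~" in the
    # value is not expanded by this check.
    prefix=$(awk '$1 == "bayes_path" { p = $2 } END { print p }' "$cf" 2>/dev/null)
    [ -n "$prefix" ] || prefix="$home/.spamassassin/bayes"
    dir=$(dirname "$prefix")

    # Directory never created: nothing can be learned or stored.
    if [ ! -d "$dir" ]; then
        echo "missing-dir"
        return 1
    fi

    # Directory exists but the current user cannot write to it.
    if [ ! -w "$dir" ]; then
        echo "unwritable-dir"
        return 1
    fi

    # Directory is usable; the token and seen databases appear once
    # training or scanning has actually written Bayes state.
    if [ -f "${prefix}_toks" ] && [ -f "${prefix}_seen" ]; then
        echo "ok"
        return 0
    fi

    echo "no-state-files"
    return 1
}
```

A result of `missing-dir` or `unwritable-dir` corresponds to the directory problem described in the post; `no-state-files` means the directory is usable but nothing has been stored yet.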
- zimico
- Outstanding Member

- Posts: 227
- Joined: Mon Nov 14, 2016 8:03 am
- Location: Vietnam
- ZCS/ZD Version: 10.1.15 NE
Re: Updated Anti-Spam Best Practices Blog Post
Thank you very much, Mark, for the very useful blog post. I am a fan and often visit your missioncriticalemail website.
My warmest regards,
Minh.
Re: Updated Anti-Spam Best Practices Blog Post
Thanks for this. I've been looking for a set of anti-phishing rules because we've been getting so much fake Zimbra admin spam. It's infuriating.
